In this security release, we have fixed a critical vulnerability in addition to the usual bug fixes, as well as two other general security improvements. Affected are the Shopware versions from 6.1.0 up to and including 22.214.171.124. The following vulnerabilities have been fixed with this security update:
NEXT-13371 - Leak of information via Store-API
NEXT-12824 - Generation of fake documents via public GET-call
NEXT-13247 - Improvement of API token invalidation
The vulnerability from NEXT-13371 could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. Please check your plugins if you have it in use. Detailed technical information can be found in the upgrade information.
We recommend to update to the current version 126.96.36.199. You can get the update to 188.8.131.52 regularly via the Auto-Updater or directly via the download overview.